Running head: SOLVING A COMPLICATED CYBERSECURITY PUZZLE

Strengthening the Nation's Cyberspace


Irvin Sandoval
The University of Texas at El Paso

Abstract
The purpose of this paper is to introduce the threats to cyber security, now that cyber-attacks
have increased in the past few years. This paper will cover three important questions that will
help the reader further understand the different views on cyber-security. These three questions
will be answered by providing information from several critics who might agree with the idea or
oppose it. More importantly, the paper will also provide primary research that bears on who is
responsible for preventing cyber-attacks. The first question will help the reader establish
knowledge of cybersecurity by introducing the background and history. The second question will
clear up doubts about whether the proposed policy strengthens or weakens cyber-security. The last
question discussed in this paper is who is mainly responsible for preventing cyber-attacks in
the United States. Finally, the paper will conclude by explaining why it is important to know the
history and background, the proposed policy, and who is helping prevent cyber-attacks in order for
the United States to maintain a strong networking infrastructure.

Cyber security, the protection of vital systems by providing strong security to prevent
hackers from accessing important data, has been a big issue, mainly because of all the information
and data that big companies have lost to cyber criminals for lack of security measures in place.
It is important to understand what the issues are when talking about cybersecurity and to know how
to protect oneself from attackers. It is also important to know that cybersecurity is not just
something that can be taken for granted, and people should know that cyber-attacks are perpetrated
not only by foreign people but also by people within the company they work in. In order to stop
any more breaches, the government needs to take control of who will be held responsible in the
event of a breach. People also need to report any suspicious activities and escalate any person
who does not work for the company to the proper department or a higher-ranking employee.
Given that cyber security poses a major issue for big companies, these three questions
will help to better understand what has been done in the past and what people will see done in
the future about the issues of cyber security:
1. What has been done to stop cyber attackers?
2. Does the current policy strengthen or weaken cyber security?
3. Who is really responsible for preventing cyber-attacks?
This paper will show that if cyber security is not fully strengthened there will be a tremendous
number of attacks and breaches on government sites and big corporations.
What has been done to stop cyber attackers?
Wireless networks have seen many improvements since they were first introduced in the
1990s. New standards have provided users with better signal strength, changes in frequency, and,
more importantly, fixes for security vulnerabilities in the first version. Stanley Wrong (2013)
states that WEP uses a limited [key] range (0 to 16777215) to choose from and goes on to say that
once the WEP key is revealed, a hacker may transform the [cipher text] into its original form,
allowing access to the hacker. Once a hacker obtains the Wi-Fi password, Wrong (2013) states
that they can connect to the Wi-Fi network and start sniffing packets by using a method called
a man in the middle (p. 2). A man in the middle is a person who captures all the packets that
travel from a wireless device to the router, acting as an intermediary for that information,
which allows him to see all of it. Luckily for users, the standards changed slightly in the late
1990s, since the new version of Wi-Fi provided better security than the previous version. Wrong
states that Lucent pioneered a 128-bit WEP to extend the WEP key from 40-bit to 104-bit in order
to enhance security (Wrong, 2013, p. 3). This meant that anyone who was trying to guess the WEP
key had to wait longer, because a 40-bit password has fewer characters than a 104-bit password,
so the generator would have to guess the extra characters that 104-bit supports, making the
process somewhat longer. According to Wrong (2003), a person wanting to know the Wi-Fi password
of a 40-bit network could do it within a couple of minutes or up to half an hour. That
vulnerability called for a real change, since the intruder could wait however long he needed to
learn the Wi-Fi password. According to Wrong (2013), networking companies were aware of this
issue and implemented dynamic WEP, which consisted of an idea to automatically generate
short-lived, dynamic broadcast WEP keys and prevent attackers from eavesdropping on the
communications (p. 3). Implementing this idea meant that the router would have to communicate
with the device and ask the device for its credentials depending on the timeframe set, which is
why attackers were able to crack WEP keys at first, because that re-authentication was not in
place.
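As an added illustration (not code from the paper or from its sources): the range 0 to 16777215 quoted above equals 2^24 - 1, the size of WEP's 24-bit initialization vector (IV), which is prepended to the 40-bit or 104-bit secret to seed RC4. The sketch below, using constructed keys, IVs and plaintexts, shows that two frames sharing an IV leak the XOR of their plaintexts whatever the key length, and estimates how few frames it takes before a randomly chosen IV repeats.

```python
import math

IV_BITS = 24  # WEP IV width: 2**24 - 1 == 16777215, the range quoted above


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling, then XOR the data with the generated keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def wep_encrypt(iv: int, secret: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with the 3-byte IV (sent in the clear) plus the secret.
    The CRC-32 integrity value of real WEP frames is left out for brevity."""
    return rc4(iv.to_bytes(IV_BITS // 8, "big") + secret, plaintext)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def frames_until_likely_reuse(iv_bits: int = IV_BITS, p: float = 0.5) -> int:
    """Birthday bound: frames with random IVs before a repeat has chance p."""
    return math.ceil(math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - p))))


def iv_reuse_leaks(secret: bytes) -> tuple[bool, bool]:
    """Return (leak with a repeated IV, leak with distinct IVs) for a secret."""
    p1 = b"constructed frame one"   # constructed sample plaintexts,
    p2 = b"constructed frame two"   # equal length for a clean XOR
    iv = 0x00A1B2                   # constructed IV value
    c1 = wep_encrypt(iv, secret, p1)
    c2 = wep_encrypt(iv, secret, p2)        # same IV: same keystream
    c3 = wep_encrypt(iv + 1, secret, p2)    # fresh IV: different keystream
    return xor(c1, c2) == xor(p1, p2), xor(c1, c3) == xor(p1, p2)


if __name__ == "__main__":
    key40 = bytes.fromhex("0102030405")                   # constructed
    key104 = bytes.fromhex("0102030405060708090a0b0c0d")  # constructed
    for name, key in (("40-bit", key40), ("104-bit", key104)):
        print(name, "key:", iv_reuse_leaks(key))
    print("frames until a repeated IV is likely:", frames_until_likely_reuse())
```

Lengthening the secret from 40 to 104 bits leaves the IV at 24 bits, so the keystream-reuse weakness is unchanged; rotating keys, as dynamic WEP does, only shortens the window in which IVs can repeat under one key.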

On December 10, 2014 the FBI posted a testimony on its website in which Joseph M.
Demarest (2014) talks about how his cyber division plans on stopping cyber threats,
specifically in the financial sector. He states that in the past it was hard to prosecute an
attacker who was outside the US, but now that they have placed employees all over the world it
is easier to track down the attacker (Demarest, 2014, para.10). According to Demarest (2014),
hackers use a range of methods to enrich themselves at others' expense and their main target is
the financial sector (para.4). Hackers use various methods of stealing information that people
use on a daily basis, and it can be hard to spot them. For example, Demarest (2014) states that
according to Verizon's 2014 Data Breach Report it has found skimmers on an ATM, gas pump, or
POS [point of sale] terminal to read credit card data, and these have been the cause of 87
percent of skimming attacks in 2013 (para.5). He goes on to say that as mobile banking has
become more and more convenient to use, hackers have used this to their advantage and have
targeted vulnerabilities in people's phones by creating a malicious app that allows them to
fetch that person's credit card number or any information that holds any value on the black
market. He states that such was the case of one of the most sophisticated types of malware the
FBI ever attempted to disrupt: the app GameOver Zeus, which stole people's financial information
(para. 6). The game was able to illegally wire money to bank accounts, and it is estimated that
the game caused over $100 million in damages (Demarest, 2014, para. 6). Now that it has
established plans and relationships for combating attackers, the FBI has the lead in
prosecuting any attackers that try to cause harm through cyber-attacks.
NATO, short for North Atlantic Treaty Organization, is a global treaty organization that
focuses on the liberty and wellbeing of its members, and on its website it provides a
time-lapse of cyber security threats from 1988 to 2013. NATO states that it all started with a
worm called The Morris Worm (NATO, n.d., para.1). The Morris worm attacked many computers all
across the United States in 1988 but was not intended to do any harm at all. NATO (n.d.) claims
that the man responsible for the incident was Robert Tappan Morris, who currently works at MIT
as a professor, and he was just wondering how big the Internet was (para. 1). This vulnerability
slowed down many UNIX computers all across the United States and spread like wildfire
(NATO, n.d., para. 1). Almost all, if not all, of NATO's timeline of cyberattacks focuses on
attacks against governments that slow down their services, and it really shows how attackers are
able to successfully deploy such attacks.
Does the current policy strengthen or weaken Cyber Security?
The US Government posted on its website five features that it is focusing on in
regard to cybersecurity. The first thing that they want to focus on is protecting the country's
critical infrastructure from cyber threats (Cybersecurity, n.d., para.2). They state that they
are working together with private companies to provide a stronger infrastructure by sharing
attacks and finding solutions to them (Cybersecurity, n.d., para.15). Secondly, they want to
improve the time it takes them to find the people who are attacking the government's network
(para. 3). In order to accomplish this they would have to increase the timeliness and quality of
cyber threat information shared with at-risk private sector entities (Cybersecurity, n.d.,
para.19). Next, they want to establish a relationship with governments abroad so they can all be
joined together in order to have a stronger overall network, in which they can communicate
without worrying about outside threats (para. 4). They state that by doing so they will work to
create incentives for, and build consensus around, an international environment in order to
value an open, interoperable, secure, and reliable cyberspace (Cybersecurity, n.d., para.21).
Fourth, they want to establish a strong network within the federal networks and hold agencies
accountable if they don't satisfy the security measures (para. 5). They state that they will be
deploying improved technology to enable more rapid discovery of and response to threats to
federal data, systems, and networks (Cybersecurity, n.d., para.25). Lastly, they want to partner
up with companies in the private sector to build a department with security-savvy people that
will be granted higher access, in which they deal with things other than passwords (para.6).
They state that they want to develop a cyber-savvy workforce in order to make cyberspace
inherently more secure as well as harness private sector innovation while at the same time
continuing to respect privacy (Cybersecurity, n.d., para.27). By having a strong network in the
US, they state that it will help grow the nation's economy and protect our way of life
(para. 7). Essentially, the U.S. government wants to have a well-trained, well-prepared, and
well-secured infrastructure in case the government or any other company becomes a target of
cyberattacks.
A new threat to the US has emerged from the internet, which has become essential to
everyday tasks. It can jeopardize many people's sensitive information, such as Social Security
numbers, credit card numbers, home addresses or anything that identifies the individual, if
security measures are not put in place correctly. Due to the information that can be leaked, or
hacked, the US has created a Foreign Policy for Cyber Security. But according to Rebecca
Abrahams, a Chief Communications officer at a security technology company and a journalist at
the Huffington Post, and her co-authors Dr. Stephen Bryen and Ziklag Systems (2014), there
seem to be three reasons why the policy isn't as strong as the US government thinks it is
(para.4). Abrahams, Bryen and Ziklag (2014), in their article "What's wrong with America's
Cyber Security Policy?", state that it is not a good idea to grant permission to many
individuals to view, for example, one's social security number, because it can get out of hand.
For example, suppose that there are two thousand employees handling social security numbers, and
out of the two thousand employees one of them steals a social security number. It will be
difficult for the government's investigation to pinpoint the individual who stole the
information, because everyone is accessing the database and everyone is assigned to doing the
same task. The second reason they think the policy doesn't work is that the packets carrying
that information are not secure, not encrypted (para.10). They argue that anyone reading the
article who does not believe what they are saying should apply for a passport, which the State
Department is supposedly in charge of, to some extent, and they will find that the process will
be outsourced to a company you never heard of, run by people you don't know, which lacks strong
security (Abrahams, Bryen and Ziklag, 2014, para.13). The next and final issue they discuss is
that all the information that flows on the internet within the government's private network and
classified information sent through the web has to be protected (para.14). They state that it
needs to change since the information that flows through government and contractor networks is
not classified (para. 14). This becomes a big issue when that information can be leaked, and it
can cost millions of dollars and even top secret military ideas. According to them, that was how
Lockheed managed to lose millions of pages of vital documents on a very important military
stealth aircraft program, the Joint Strike Fighter (Abrahams, Bryen and Ziklag, 2014, para.15).
The authors express displeasure by saying that these types of leaks affect the US militarily,
because other countries can replicate its ideas. They also show displeasure by stating that the
government needs a policy to protect 100 percent of its information flows, not just 5 percent as
it now does, and that it should reorganize its policy if it wants to avoid a Cyber Pearl Harbor
(Abrahams, Bryen and Ziklag, 2014, para.17; para.19).
Who is mainly responsible for preventing cyber-attacks?

Amid tensions over how to combat cyber security threats in the United States, the director
of the Office of Personnel Management, Katherine Archuleta (2015), has published a notice about
the office's proposed actions to create more jobs in the cyber-security field (p.12045). The
notice states that they are asking for no more than 3,000 positions that require unique
cybersecurity skills and knowledge such as incident handling and malware/vulnerability analysis,
among others (Archuleta, 2015, p.12045). These future employees would work for the government,
assisting with any cyberattacks the nation faces. Also, these people would be considered white
hat hackers, because these types of hackers do not pose any threat to the government or another
entity, compared to black hat hackers, whose main purpose in hacking is financial gain or
destroying data. The notice also states that it plans on hiring computer scientists, who would
help in creating any type of special software that can benefit the Government, as well as
criminal investigators, to help locate evidence that can bring an attacker to justice
(Archuleta, 2015, p.12045). This notice is short and to the point, and states how they plan on
implementing those jobs in order to help combat cybersecurity threats.
The easiest way for a hacker to steal valuable information or access anything they wish
for is called social engineering. Kevin Newmeyer (2015) states that hackers were able to use
social engineering techniques which allowed the attacker to insert malware onto the networks of
multiple banks (para. 2). For example, a typical type of social engineering would be an instance
in which a man walks into a business or corporate headquarters dressed as an officer and with a
fake FBI badge, telling the employees that he needs access to the server rooms because he has an
order to seize or search the servers. Employees, not knowing about social engineering, will
grant access to the man without speaking with their supervisors or referring the man to the IT
staff. These attackers were able to get away with money from bank accounts that had balances of
millions of dollars, making the transactions nearly invisible (Newmeyer, 2015, para. 2). Their
actions show that it is not difficult to hack into systems because of the lack of security
measures at the company or firm in charge of protecting against any threats from the outside
world. Also, according to Newmeyer (2015), it is in the hands of the government to establish a
strong infrastructure. Due to the many cyber threats against companies, their employees and
customers, President Obama has taken action and has signed a second executive order on
cybersecurity issues (Newmeyer, 2015, para. 3). According to Newmeyer (2015), the initiative
will replace, or rather be an improvement on, the lessons learned from the 2013 executive order
on critical infrastructure protection. This second executive order will allow the government,
under the Department of Homeland Security, and private firms to share information about threats
that are current and live on the web, through what they called Information Sharing and Analysis
Organizations (ISAOs) (Newmeyer, 2015, para. 3). Lastly, Newmeyer (2015) states that although
the ISAO is nothing permanent or something that will stay forever, it will be interesting to
observe what can be achieved with this establishment. If the plan is put into action and it is
well organized, the United States will see a decrease in cyber-attacks across U.S. systems.
In a survey of 32 participants, respondents were asked their age, whether they knew what
social engineering is, whether they had the latest software installed on their devices, whether
they use the same password across multiple sites, and whether their current password met the
requirements for a strong password. Interestingly enough, the survey (see Figure 1) showed that
eighty-seven percent of the participants answered that they did not know what social engineering
is. The remaining thirteen percent knew what social engineering consists of. The results showed
that people do not know the threats that social engineering poses if they work for a big
corporation.

Figure 1: Do you know what social engineering is? (Yes: 13%; No: 87%)
Now that hacking has become more of a cyber-terrorism act than a hobby, it has
cost companies millions of dollars in damages, forcing the president to fight these hackers by
creating orders designed to stop any more hacks on American-based companies. Paul Ferrillo
(2015) states that he suggested three modifications that are highly achievable in the corporate
world and that have the potential to make our cyber security world a little better in 2015
(para.6). He introduces his first suggestion, "More Cyber Governance, More NIST Discussion, More
Information Sharing," by parodying a well-known Christmas song: On the first day of Christmas,
my true love gave to me: the NIST cyber security framework (Ferrillo, 2015, para.7; para. 8).
The framework is essentially for companies to realize where they stand and where they see
themselves in the future. Although the framework is not something mandatory on how to
implement security measures or how these companies handle their information, Ferrillo (2015)
states that the framework steers conversation (para. 9) on the handling process of information,
whose steps are as follows: identification, protection, detection, response, and recovery.
Ferrillo's second modification touches on a major issue in the cybersecurity industry that
really needs to change among big companies, and that is "More (and Better) Employee Training and
Education" (para. 11). This is crucial because hackers can create a fake email server whose
address can end with .edu, .gov, or .officialatt, and trick someone into thinking it is a
legitimate email. Once a hacker has gathered their victim's email, they send an infected email
and, upon opening it, the malware quickly spreads to the network (Ferrillo, 2015, para. 14).
Also, Ferrillo (2015) states that investing in more training this year would be an even better
idea (para. 17). Finally, in his third modification, he states that having a CISO [Cyber
Information Security Officer] lead the data breach can dramatically reduce the cost of a single
file being lost (Ferrillo, 2015, para. 38). These three modifications that Ferrillo points out
will help prevent any more threats and will certainly make cyber-attacks more difficult for
criminals, making them think twice.
Conclusion
As seen in the paper, it is important to know the dangers to cybersecurity and how people
can avoid compromising their own information as well as everyone else's information. Poor
knowledge of how to prevent a hack can lead to serious data loss or financial loss. If people are
knowledgeable about what has been done to prevent attackers from obtaining personal information,
they can at least know that having the latest update on their phone and not being a victim of
social engineering can be very important. Having strong cybersecurity will prevent any of the
attacks that have occurred in the past. Without it, cyber-attacks will persist and will grow
exponentially if nothing is done to stop the havoc.

References
Abrahams, R., Bryen, S., & Ziklag, S. (2014, March 31). What's wrong with America's cyber
security policy? Retrieved from Huffington Post:
http://www.huffingtonpost.com/rebecca-abrahams/whats-wrong-withamericas_b_5064467.htmlis
Archuleta, K. (2015, March 5). Excepted service. Retrieved from Federal Register:
https://www.federalregister.gov/articles/2015/03/05/2015-05185/excepted-service
Demarest, J. M. (2014). Cyber security: Enhancing coordination to protect the financial sector.
Washington, D.C.: FBI Government.
Ferrillo, P. (2015, January 20). Changing the cyber security playing field in 2015. Retrieved from
Harvard.edu: http://blogs.law.harvard.edu/corpgov/2015/01/20/changing-the-cybersecurity-playing-field-in-2015/
Government, U. (n.d.). Cybersecurity. Retrieved from Whitehouse:
https://www.whitehouse.gov/issues/foreign-policy/cybersecurity
Newmeyer, K. (2015, February 19). Executive order on cybersecurity: Billion-dollar bank heist.
Retrieved from National Cyber Security Institute:
http://www.nationalcybersecurityinstitute.org/executive-order-on-cybersecurity-billiondollar-bank-heist/
T. h.-a. (n.d.). About NATO review. Retrieved from NATO:
http://www.nato.int/docu/review/2013/cyber/timeline/EN/index.htm

Wrong, S. (2003, May 20). The evolution of wireless security in 802.11 networks: WEP, WPA
and 802.11 standards. Retrieved from SANS Information Security Training:
http://www.sans.org/reading-room/whitepapers/wireless/evolution-wireless-security80211-networks-wep-wpa-80211-standards-1109
